An ISO 45001 risk register is an essential tool for managing health and safety risks within an organization. By identifying, assessing, and prioritizing risks and implementing appropriate mitigation strategies, organizations can create a safer and healthier workplace. The risk register also provides a mechanism for ongoing risk management and monitoring, helping organizations maintain compliance with legal and other requirements.
What Should an ISO 45001 Risk Register Include?
1. Risk Identification
The first step in creating a risk register is to identify all potential hazards and risks associated with the organization’s operations. This may include risks associated with machinery, equipment, chemicals, work processes, human factors, and other hazards present in the workplace.
- Routine and non-routine work activities
- Equipment, materials, and physical conditions
- Human factors (fatigue, competence, stress)
- Emergency situations and external factors
2. Risk Assessment
Once all potential risks have been identified, they must be assessed in terms of their likelihood and potential impact. This assessment should take into account the severity of the consequences, the frequency of occurrence, and the level of exposure. Common approaches include risk scoring matrices that multiply likelihood by severity to produce a risk rating.
3. Risk Prioritization
Based on the risk assessment, each identified risk should be prioritized in terms of its significance to the organization. High-priority risks require immediate attention and more robust controls, while lower-priority risks can be addressed at a later time or managed with simpler controls.
4. Risk Mitigation
For each identified risk, a plan should be developed to mitigate or manage the risk using the hierarchy of controls: elimination, substitution, engineering controls, administrative controls, and personal protective equipment (PPE). The plan should also outline the resources required to implement the risk mitigation strategy.
5. Risk Monitoring
The risk register should be regularly reviewed and updated to ensure that all risks are being managed effectively. This includes ongoing risk assessments after incidents or changes, periodic reviews during management review, and updates to mitigation strategies as needed. Monitoring and measurement processes ensure controls remain effective.


